Legal

Privacy Policy

Last updated: ____.

Draft — under legal review. This page is a starting draft. Final terms will be reviewed by a Singapore-qualified lawyer before public launch.

1. Who we are

Finance AI is operated by wGrow Technologies Pte Ltd, a private limited company incorporated in Singapore ( UEN: ____, registered office: Singapore). For the purposes of the Singapore Personal Data Protection Act 2012 (“PDPA”), we are the Data Intermediary in respect of Customer Data, and we are the Data Controller in respect of website-visitor data (e.g. lead-form submissions, account-holder profiles).

2. What personal data we collect

  • Account data: name, email, role, organisation.
  • Lead-form data: name, work email, company name, UEN (optional), GST scheme, entity count, message — submitted at /contact.
  • Customer Data: financial documents and ledger data you upload for processing. This may include names of your customers, suppliers, employees, and directors.
  • Operational data: pipeline run logs (model name, token counts, run duration, cost) tied to your tenant.
  • Technical data: IP address, browser user-agent, and session cookies (set by Supabase Auth — strictly necessary).

3. How we use it

  • Provide and operate the service.
  • Communicate with you about your account, billing, and service updates.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations under Singapore law.
  • Improve the service in aggregate (we do not use Customer Data to train AI models).

4. Legal bases under PDPA

We rely on (a) consent — which you give by submitting the lead form, accepting these Terms, or continuing to use the service — and (b) legitimate interests in operating, securing, and improving the service. You may withdraw consent at any time as described in Section 8.

5. Third parties we share data with

  • Supabase, Inc. — our Postgres + auth provider. Customer Data is hosted in a Southeast-Asia region. We do not move it outside this region without your explicit written consent.
  • Google LLC (Gemini API) — powers the agent reasoning. We send only the relevant context for the current agent step. Google is contractually bound under the Gemini API data-processing terms not to use this data to train Google’s models.
  • Google LLC (Gmail API) — sends transactional notifications (lead-form, user invites, password reset). We do not use Gmail to send Customer Data.
  • Service providers under written contracts — payment processors, security-monitoring vendors, etc., under PDPA-compliant data-processing agreements.
  • We do not sell personal data.

6. Data residency

Customer Data is hosted on infrastructure pinned to the Southeast Asia region. Backups remain in-region. Agent reasoning calls (Google Gemini) are routed to the closest Google region with the no-training data-processing terms applied.

7. Retention

We retain Customer Data for as long as your account is active. On termination, we delete it within 30 days unless retention is required by Singapore law — specifically, financial records that ACRA and IRAS require to be retained for at least five years from the relevant year of assessment. Lead-form data submitted at /contact is retained until you ask us to delete it or for two years from your last interaction, whichever is sooner.

8. Your rights under PDPA

You have the right to (a) request access to your personal data, (b) request correction of inaccurate data, (c) withdraw consent for our processing (note: withdrawing consent may end your ability to use the service), and (d) request deletion subject to our legal retention obligations. Submit requests to the Data Protection Officer at the address in Section 14.

9. Cookies

We set only the strictly-necessary session cookies required to keep you signed in (via Supabase Auth). We do not set advertising, analytics, or marketing cookies at this time. We do not use third-party trackers.

10. Children

The service is not directed at, and not designed for, persons under the age of 18. We do not knowingly collect data from minors.

11. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including TLS in transit, AES-256 at rest, role-based access control, and Postgres row-level security. No system is perfectly secure; we cannot guarantee absolute security.

12. Data breach notification

We follow Singapore PDPC guidelines on data-breach notification. We will notify affected customers and, where required, the PDPC within 72 hours of confirming a notifiable breach.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to your account email at least 30 days before they take effect. The “Last updated” date below reflects the most recent change.

14. Data Protection Officer

Our Data Protection Officer can be contacted at [email protected]. For privacy concerns we cannot resolve, you may contact the Singapore Personal Data Protection Commission at https://www.pdpc.gov.sg.

Last updated: ____.